New “TCP Stealth” tool aims to help sysadmins block spies from exploiting their systems

System administrators who aren’t down with spies commandeering their servers might want to pay attention to this one: A Friday article in German security publication Heise provided technical detail on a GCHQ program called HACIENDA, which the British spy agency apparently uses to port-scan entire countries, and the authors have come up with an Internet Engineering Task Force draft for a new technique to counter this program.

We’ve encountered HACIENDA before; last month The Intercept published a list of GCHQ tools and techniques, which mentioned the program. HACIENDA is a port scanner on steroids – as Heise described in greater detail than previously revealed, the spy agency uses it to find servers that have vulnerable applications running on them, and it shares the results with its “Five Eyes” partners, including the NSA and the spy agencies of Canada, Australia and New Zealand.

The idea is to use those vulnerabilities to stealthily turn the servers into so-called operational relay boxes, or ORBs. When GCHQ or one of its partners wants to attack a target or steal data, they use these ORBs as an attack route, to hide their tracks. As the Heise article pointed out several times, this is pretty much what criminals do.

The decidedly technical article quoted freshly-revealed GCHQ documentation dating back to 2009 to note that HACIENDA was used to fully port-scan 27 countries and partially scan five more, though it redacted the names of the countries.

Enter TCP Stealth

Port scanning generally takes advantage of a fundamental flaw in the TCP protocol, which lets clients and servers talk to each other over the internet. The problem lies in the TCP “three-way handshake” that’s used to establish client-server connections. This handshake leaks information about which services are offered through certain ports, even if the client that’s doing the probing isn’t authorized.

The article’s authors – including Jacob Appelbaum of the Tor project and researchers from the Munich Technical University – have come up with a draft solution that’s currently open for comment on the IETF website. The draft was edited by Holger Kenn of [company]Microsoft[/company] Deutschland.

They aim to standardize a technique called TCP Stealth, which is a modification to the TCP three-way handshake that would allow TCP servers to hide from port scanners while granting a standard TCP handshake to authorized clients. It’s a variation on a longstanding technique called port knocking, designed to take into account GCHQ-grade offensive techniques that may involve compromised infrastructure. The article includes instructions for implementing TCP Stealth on Linux systems using the Knock patch.

TCP Stealth would hopefully stop the spies at the reconnaissance stage, before they even get to exploiting the TCP servers as attack routes. It’s not a cure-all though, as the authors note:

TCP Stealth is useful for any service with a user group that is so small that it is practical to share a passphrase with all members. Examples include administrative SSH or FTP access to servers, Tor Bridges, personal POP3/IMAP(S) servers and friend-to-friend Peer-to-Peer overlay networks.

What’s particularly interesting about the Heise article and the IETF draft is that, as far as I’m aware, it’s the first time deep technical information from surveillance operation leaks has been revealed at the same time as a potential fix. This isn’t just exposure — not that exposure should be downplayed as a weapon — but it’s also actively fighting back at the same time.

Incidentally, if you’re wondering whether the documentation revealed in that Heise piece comes from Edward Snowden, there’s no indication that it does. As James Bamford recently deduced in his recent Wired interview with Snowden, and as The Intercept’s Glenn Greenwald and security guru Bruce Schneier have both suggested, there is in all likelihood a second leaker. Indeed, several articles in Germany’s Der Spiegel, which were also co-authored by Appelbaum and Laura Poitras as this Heise piece was, have exposed details of NSA and GCHQ capabilities without reference to the best-known NSA leaker.